www.jacksonlewis.com
Introduction

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced on November 4, 2009, the filing of final identity theft/data security regulations with the Secretary of State’s office, the final step before the regulations take effect on March 1, 2010. Many businesses are now beginning to think about what they need to do to comply. This Special Report, with checklists, and our companion webinar will help businesses prepare for the new regulations. More information about data privacy and security developments and resources can be found at www.workplaceprivacyreport.com

The regulations apply to any business or individual that owns or licenses personal information (PI) about a Massachusetts resident, and establish minimum standards for protecting and storing such information. One owns or licenses PI when one “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”

PI is an individual’s first name (or first initial) and last name in combination with: (i) social security number, (ii) driver’s license number, (iii) state identification number, or (iv) financial account, debit or credit card number contained in paper or electronic format.
The regulations require covered entities to develop, implement and maintain a comprehensive information security program to protect personal information. The program must be written (a Written Information Security Program, or WISP). In evaluating compliance, the following items should be taken into account:
• the size, scope and type of business,
• the amount of resources available,
• the amount of stored data, and
• the need for security and confidentiality of both consumer and employee information.
Compliance Checklists

The following checklist outlines the items required to achieve compliance with the final data security regulations issued in Massachusetts.
A BULLETIN ON EMPLOYMENT, LABOR, BENEFITS AND IMMIGRATION LAW FOR CLIENTS AND FRIENDS OF JACKSON LEWIS LLP
Winter 2010
All We Do Is Work℠
• SPECIAL REPORT •
Massachusetts Identity Theft/Data Security Regulations Effective March 1, 2010 – Are You Ready?

INSIDE THIS ISSUE:
• Massachusetts Data Security Compliance Checklist: Minimum “Written Information Security Program” (WISP) Requirements
• Additional Requirements if Personal Information is Electronically Stored or Transmitted
• Management Educational Opportunity
In General:
• Program must be in writing.
• Program must be developed, implemented, maintained and monitored.
• Program must have administrative, technical, and physical safeguards and be reasonably consistent with safeguards for protection of personal information and information of a similar character set forth in any applicable state or federal regulations.
Appoint Key Person:
• Designate one or more employees to maintain the program.
Risk Assessment:
• Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of personal information.
• Evaluate and improve current safeguards for addressing identified risks through such steps as:
  • ongoing employee (including temporary and contract employee) training;
  • ensuring employee compliance with policies and procedures;
  • detecting and preventing security system failures.
External Employee Access:
• Develop security policies addressing whether and how employees may keep, access and transport records containing personal information outside of the Company’s business premises.

Discipline:
• Impose discipline when the Company’s program is violated.
Protocols for Termination of Employment:
• Establish procedures to immediately stop access by terminated employees to personal information by physical or electronic access, such as deactivating their passwords and user names, changing locks, retrieving IDs, and so on.
Oversee Service Providers:
• A service provider is any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to the regulations.

To adequately oversee service providers, the regulations require that covered entities:

1. Take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the regulations and any applicable federal regulations; and
2. Require such service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract in place prior to March 1, 2010, will be deemed to satisfy this requirement even if the contract does not require the service provider to maintain the appropriate safeguards. However, these contracts should be amended to include similar provisions as soon as possible, as there may be similar requirements under federal or other states’ laws (such as HIPAA or data security laws in Maryland, Oregon or Nevada). Contracts entered into on or after March 1, 2010, must contain appropriate language.
Physical Access and Storage:
• Impose reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

Monitor Security Program Performance:
• Establish a procedure for regular monitoring to ensure the program is operated in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrade information safeguards as necessary.
Annual Assessment of Scope of Security Program:
• At least once per year (or whenever there is a material change in business practices that reasonably affects the security or integrity of records containing personal information), review the scope of the program’s security measures for adequacy.

Document Breach Response:
• Document steps to respond to a breach of security and post-breach review of events and actions taken, if any, to make changes in the program.
Massachusetts Data Security Compliance Checklist: Minimum “Written Information Security Program” (WISP) Requirements
Requirements for Every WISP
EDITORIAL BOARD:
Howard M. Bloom (617) [email protected]
Matthew A. Porter (617) [email protected]
Roger S. Kaplan (631) [email protected]
Mei Fung So (212) [email protected]
This update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis LLP and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis LLP.

This update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis LLP represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.
© 2010, Jackson Lewis LLP
JACKSON LEWIS MASSACHUSETTS OFFICE
Jackson Lewis LLP, 75 Park Plaza, 4th floor, Boston, MA 02116. Phone: (617) 367-0025. Fax: (617) 367-2155. www.jacksonlewis.com
The additional elements below apply at a minimum, and to the extent feasible:
• to every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information, and
• must be part of a security system established and maintained by such person that covers the person’s computers, including any wireless system.
Implement Secure User Authentication Protocols that:
• control user IDs and other identifiers;
• provide a reasonably secure method of assigning and selecting passwords, or use unique identifier technologies, such as biometrics or token devices;
• control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
• restrict access to active users/user accounts only; and
• block access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
Implement Secure Access Control Measures that:
• restrict access to personal information to those who need such information to perform their job duties; and
• assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
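The authentication and access-control items above describe outcomes, not mechanisms. The following small in-memory user store is an added example, written for this report and not part of the Jackson Lewis text or of the regulations themselves, showing one way those outcomes are commonly met in code: unique user IDs, passwords stored only as salted slow hashes (so the credential store is not itself in a format that compromises the data), rejection of vendor-default passwords, immediate deactivation on termination, lockout after repeated failures, and a job-duty check before any personal-information access. The lockout threshold, the default-password list, the minimum length and the role names are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumptions for this example (not from the report): lock an account after
# five consecutive failures, reject a short constructed list of vendor-default
# passwords, require 12+ characters, and treat only the HR and payroll roles
# as having job duties that need personal information (PI).
MAX_FAILED_ATTEMPTS = 5
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}
PI_AUTHORIZED_ROLES = {"hr", "payroll"}
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted, deliberately slow hash is stored, so a copy of the
    # credential store does not yield the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserDirectory:
    """In-memory user store with unique IDs, lockout and a job-duty check."""

    def __init__(self):
        self._users = {}

    def create_user(self, user_id: str, password: str, role: str) -> None:
        if user_id in self._users:
            raise ValueError("user IDs must be unique")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS or len(password) < 12:
            raise ValueError("vendor-default or too-short password rejected")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "role": role,
            "active": True,
            "failed": 0,
            "locked": False,
        }

    def deactivate(self, user_id: str) -> None:
        # Termination protocol: access stops immediately, whatever the password.
        self._users[user_id]["active"] = False

    def authenticate(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None:
            # Spend the same effort on unknown IDs so response time does not
            # reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False
        if not rec["active"] or rec["locked"]:
            return False          # only active, unlocked accounts may log in
        if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            rec["failed"] = 0
            return True
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True  # blocked after multiple unsuccessful attempts
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._users[user_id]["locked"]

    def may_access_pi(self, user_id: str) -> bool:
        # PI access is limited to active, unlocked accounts whose duties need it.
        rec = self._users.get(user_id)
        return bool(rec and rec["active"] and not rec["locked"]
                    and rec["role"] in PI_AUTHORIZED_ROLES)


if __name__ == "__main__":
    d = UserDirectory()
    d.create_user("hr_anne", "correct-horse-battery", "hr")
    print(d.authenticate("hr_anne", "correct-horse-battery"), d.may_access_pi("hr_anne"))
```

The lockout here is permanent until an administrator intervenes; a production system would normally add a timed unlock and log each lockout so the monitoring step of the checklist can see it.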
Encryption:
• Encrypt all transmitted records and files containing personal information that will travel across public networks and transmit wirelessly.

Mandatory Encryption for Portable Devices:
• Encrypt all laptops or other portable devices that store personal information.

Monitor IT System Use and Access:
• Perform reasonable monitoring for unauthorized use of or access to personal information.
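"Reasonable monitoring" is usually implemented as a periodic review of authentication and data-access logs against the list of people whose job duties require personal information. The following script is an added example, not part of the report and not a requirement of the regulations; the log format, the user list, the failed-login threshold and the sample log lines are all constructed for illustration. It flags three things a reviewer would want surfaced: repeated failed logins for one account, any read of a PI record by a user outside the authorized set, and a bulk export of PI even by an authorized user.

```python
from collections import Counter

# Assumptions for this example (not from the report).
PI_AUTHORIZED = {"hr_anne", "payroll_ed"}   # users whose duties need PI access
FAILED_LOGIN_THRESHOLD = 3                   # consecutive failures worth a finding

# Constructed sample log: timestamp, event, then key=value fields.
SAMPLE_LOG = """\
2010-03-01T08:02:11 LOGIN_OK user=hr_anne src=10.1.1.20
2010-03-01T08:05:40 PI_READ user=hr_anne src=10.1.1.20 record=emp-1042
2010-03-01T09:11:02 LOGIN_FAIL user=eng_bob src=10.1.1.33
2010-03-01T09:11:09 LOGIN_FAIL user=eng_bob src=10.1.1.33
2010-03-01T09:11:15 LOGIN_FAIL user=eng_bob src=10.1.1.33
2010-03-01T09:12:00 LOGIN_OK user=eng_bob src=10.1.1.33
2010-03-01T09:14:27 PI_READ user=eng_bob src=10.1.1.33 record=emp-1042
2010-03-01T10:30:00 PI_EXPORT user=payroll_ed src=10.1.1.41 record=all
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict: ts, event, and each key=value field."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(log_text: str) -> list:
    """Return (timestamp, finding, user) tuples for events needing follow-up."""
    findings = []
    failures = Counter()   # consecutive LOGIN_FAIL count per (user, source)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        key = (e.get("user"), e.get("src"))
        if e["event"] == "LOGIN_FAIL":
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                findings.append((e["ts"], "repeated_login_failures", e["user"]))
        elif e["event"] == "LOGIN_OK":
            failures.pop(key, None)   # a success resets the consecutive count
        elif e["event"] in ("PI_READ", "PI_EXPORT"):
            if e["user"] not in PI_AUTHORIZED:
                findings.append((e["ts"], "pi_access_by_unauthorized_user", e["user"]))
            if e["event"] == "PI_EXPORT" and e.get("record") == "all":
                findings.append((e["ts"], "bulk_pi_export", e["user"]))
    return findings


if __name__ == "__main__":
    for ts, finding, user in review(SAMPLE_LOG):
        print(ts, finding, user)
```

On the sample log this reports the three failed logins for eng_bob, eng_bob's subsequent read of an employee record despite not being on the authorized list, and payroll_ed's export of every record. Each finding is a starting point for the post-breach review step in the first checklist, not a conclusion on its own.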
Firewall/Malware/Virus Protection:
• Implement reasonably up-to-date firewall, system security agent software, malware protection and reasonably up-to-date patches and virus definitions that are reasonably designed to maintain the integrity of the personal information on a system connected to the Internet. The system also should be designed to receive current security updates on a regular basis.

Training:
• Train and educate employees on the proper use of the computer security system and the importance of personal information security.
Additional Requirements if Personal Information is Electronically Stored or Transmitted

The following checklist outlines additional items for electronically stored or transmitted personal information.
Jackson Lewis LLP represents management exclusively in employment, labor, benefits and immigration law and related litigation.
The firm has 45 offices and more than 600 attorneys.
Jackson Lewis represents employers before state and federal courts and administrative agencies on a wide range of issues, including discrimination, wrongful discharge, wage/hour, affirmative action, immigration, and pension and benefits matters. Jackson Lewis negotiates collective bargaining agreements, participates in arbitration proceedings and represents union-free and unionized employers before the NLRB and other federal and state agencies. The firm counsels employers in matters involving workplace health and safety, family and medical leaves and disabilities.

MANAGEMENT EDUCATIONAL OPPORTUNITY
FREE WEBINAR: Massachusetts Identity Theft/Data Security Regulations Effective March 1, 2010 – Are You Ready?
Access the webinar at: http://www.jacksonlewis.com/events/webinars.cfm
Jackson Lewis is pleased to provide employers with this Special Report and the companion webinar.